Posted
by
timothy
on Monday February 14, 2005 @09:06PM
from the smarter-decisions-safer-world dept.

swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."

You should continue to check your credit reports frequently for the next year.

If I get the notification, I'm going to request that ChoicePoint pay the costs for me to subscribe to unlimited credit report access from all three credit bureaus. IIRC, that costs about $100/year for each bureau. Since it's ChoicePoint's screwup, I shouldn't have to pay the costs necessary for early detection of fraud in my credit report.

The article further quotes ChoicePoint spokesman Chuck Jones:

But ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed

Why the hell are they allowed to keep a dossier on me if they
don't have any mechanism in place to allow them to track how
it is used and by whom? This is insane!

The correct solution to this problem, IMNSHO, is for the courts
to determine that personal, financial, and credit records relating
to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL,
and may not be provided to any other party without the owner's
explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

The problem with that approach, of course, is that it requires the granting of "copyright" and the associated powers to individuals, and not the ??AA. Or other money-grubbing corporations. Who's gonna support that?

Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.

Probably won't happen, however. In fact, we are going in the other direction and the companies that hold your data legally "own" it in most cases.

By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.

Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.

Just out of curiousity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?

The real problem is there's no public/private key separation. Your credit card number is a secret key, but must be shared in order to do business with it. Ditto for checking account numbers which make direct deposit possible. The reason boils down to sheer laziness on the part of credit issuers. When there's a problem they can soak the merchants and/or customers, so they haven't bothered to fix the system.

That solves your bank deposit problem. Public/private key separation would solve most of the problems.

As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.

So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.

My pet peeve is that "form filling out" information disclosure should really be kept to the minimum required for the transaction.

If you go into a doctor's office for an ingrown toenail, there's no reason you should have to dump down 57 pieces of data on a form. If I put down that I'm a 27 year old male with no allergies and I can digitally sign that I'm able to pay up to $500 for any services, that should be enough.

Actually, in theory there is no reason for the bank to know anything about you, even including your name or address. I'll construct a simple concrete scenario around your example of an online purchase:

Go to Web site and log in (or otherwise establish your identity--I actually think a secure system should really have at least two security elements of something you have and something you know, but this is getting off the topic here).

Select the merchandise and order it.

The store contacts your computer for payment information.

Your computer asks for confirmation that you made the order.

After confirmation, your computer returns a bank number, an account number, and an authorization to withdraw some money.

The store contacts the bank and asks for money.

For extra security, the bank might double-check with your computer again. (Just an example of what should be user-controllable security settings that could be included in the certificate. If you were really paranoid, you might insist that the bank doublechecks directly with you, especially for larger purchases, but in that case the certificate would also need to include some personal information about you and how to contact you. Your decision whether or not to do that, however.)

There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)

By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.

Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify they potential employer that they had made a mistake.

Experian is a company in the UK (I believe they may be USian) that holds credit information, and is used by many UK companies to check credit records.

A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".

I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.

Not so long ago, I was surprisingly refused credit. In fairness, that part wasn't Experian's fault; it was down to an automated address database that didn't recognise the correct form of my address and decided I didn't exist. However, during the follow-up enquiries with the credit card company who'd turned me down, I obtained a copy of my credit record from Experian. There were so many minor inaccuracies it was scary. The best bit was when, at 17:05 after speaking to someone there for five minutes (after ab

The problem with this is that *you* don't own the data kept about you. You might have the right to view the data, but you don't own it. Since just about forever, various companies have been tracking various info about people (buying habits, credit history etc). They track these for their benefit (and their customers) - not yours.

When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).

That the data is about you, and could be damaging to you is incosequential to them. Anyone could have bought the data from them anyway.

Actually, it's kind of a reverse technology thing... Not so long ago, almost all of the data about you was stored in your head, and if anyone wanted to know about you, they'd have to ask you questions. For the important stuff, they'd need to check your statements against the witnesses who were involved.

For example, before all this computerization, if you wanted to borrow some money, you told the bank about who you borrowed from in the past, and they would check to see what those people said about the loan

The problem with this is that *you* don't own the data kept about you...When they lose the data, as far as they are concerned they have lost some of their business information

Which is why most developed countries have privacy legislation. "Ownership", in the context of personal information, is about the extent to which individuals can exert control over what happens to that data. Ownership doesn't (or shouldn't) reside with the business alone.

I don't know about the rest of the world; but Argentina grants it's citizens a consitutional right called "Habeas Data" [warwick.ac.uk], which, in a nutshell, specifies that every individual owns his personal information and it can't be disclosed or abused without his consent. This includes medical records, bank accounts, work historials and so. Knowing that most modern constitutions are based on the US one, i thought something similar would be available to Americans.

It's usually paired with another consitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.

Sorry, but that sounds like a terrible idea. What if a reporter learns that the president of the non-profit "Society for objectively studying the environment" used to be an executive for Evil Polluting Corp?

Well, he's entitled not to tell anyone. People can change, you know. This can happen, but now the involved executive has the right to initiate legal actions.

What if a reporter learns that a politician has secret bank accounts where huge sums of money are regularly received?

The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...

Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...

It isn't nearly as simple as that.

Photographers require a release from models they shoot, similarly with tv shows (watch any of those reality shows and you'll occasionally see people who were filmed but would not sign a release, their faces and any other personally identifiable information is blurred out).

The copyright on information belongs to the writer, not the subject of the piece

I created my address by purchasing a house and moving into it. I created my credit history by obtaining credit, using it, and paying it off (or not). I created my salary history by getting a job and drawing a salary. I created my education history, GPA, major, minor, and concentration by getting an education. I created this message. I created my marital status. I created my child, though they are creating original art of

O'Harrow explores how the government is teaming up with private companies to collect massive amounts of data on citizens and how, he writes, "More than ever before, the details about our lives are no longer our own. They belong to the companies that collect them, and the government agencies that buy or demand them in the name of keeping us safe."

The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.

Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.

I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.

A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.

This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.

This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.

Fraud is a cost of business to credit card companies, the only way that the credit card companies would actually pay the price here would be if people actually stopped using them. Short of that drastic and unlikely occurrence any level of theft and fraud will be absorbed and paid by t

as a holder of a merchant account, I can say that you're full of shit. WE bear the brunt of fraud (a.k.a. "Chargebacks")... not only do we lose the money, but we get charged a nice little fee along with it. (usually around $30-40).

oh yeah, and get more than $x percent chargebacks in a year, your account goes *poof*

and you, the merchant, are forced to cover costs by passing it on to customers.

I don't think there's any coincidence that my local coffee shop raised all their prices about the same time they started accepting credit cards, and I appreciate that my favorite local CD store charges a buck fifty per CD extra if you pay with credit cards - that way, I don't have to subsidize other peoples' credit card use when I pay cash.

That said, with the way retailers have to bear the brunt of the damage when someone comm

A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance.

Banks require your social security number for tax reporting purposes. It's a Federal law (you get that 1099-INT each each with interest bearing accounts, for example), as the IRS has a vested interest in your finances. You cannot "opt out", any more than you could opt out of giving your employer your SS#.

You have a point there and I am not sure how she deals with banks; maybe she keeps all her money in Canadian banks.

Also, there are lots of foreign people in the U.S. and elsewhere who have U.S. bank accounts but no SS #. I suspect that banks assign these people arbitrary generated numbers. Perhaps you can go to a bank, tell them you're from Scotland or Uruguay or the South Pole and just open an account without the damn SS number. Of course they may demand a passport.

Now here's an interesting bit of trivia. You can change [ssa.gov] your social security number. It's free and you have to apply, with proof of identity, and also supply a reason why the change is needed. It can be a change of name, threat of domestic violence, identity theft, or even because the numbers are offensive to your religious beliefs. I suppose the latter reason is the best way to change your SS # arbitrarily. However, they say they keep your old number on file and cross referenced, so it may be that someone with your old number could still cause you grief.

according to a new federal law, The Fair and Accurate Credit Transactions Act (passed in Dec 2003) you are entitled to a free comprehensive credit report yearly. The big three have an official website at www.annualcreditreport.com (no link b/c they reject unofficial referals) where you can claim your report. (though its not available yet for the mid and eastern states, it will be by the end of 2005).

...make companies that want to reap the rewards for harvesting and prostituting personal information, also bear the consequences.

One thing I'd have to wonder...what would a company like ChoicePoint be doing with someone's personal data(like Social Security Number), unless they had been explicitly authorized to have it? As far as I'm concerned, ChoicePoint might very well be the unauthorized third party.

The solution is for the government to create a Commision with real power (like the SEC) to police these guys and fine/imprison those found negligent. The information industry has become too critical to be allowed to betray the public trust without serious repercussions. These bastards have had a free ride up to now (ChoicePoint's web page says "ChoicePoint® Reports Record Revenue, EPS").

We need a full investigation. ChoicePoint's liability could be enormous. It is clear a cover-up may be going on.

35,000 Californians will get notices because California law requires it.

The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company.
A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.

Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)

I think it's a fair guess that 300k US citizens have had enough information stolen to make them liable to financial problems.

Now, that data is going to worth a lot of money to someone. There are going to be individuals on that list who could have more $100k stolen each, ergo, the data is worth a multiple of that.

But what if someone leaked it? Disgruntled employees or clients, other blackhats, cleaners, anyone? How wide would a 100MB csv spread on Kazaa? Given the precedent set by spammers, nearly all of those victims could be exploited.

Anyone want to guess the political, economic and cultural impact of 1 in every 10 US citizens becoming bankrupt or even destitute in a matter of months? If it doesn't happen this time, its a ticking time-bomb for the future.

A radical redesign of the modern approach to financial security is overdue.

You're right that legislation would probably be needed to grant ownership of the data to the subject.

And if personal info were copyrighted we would have all sorts of BS like England does where celebrities can sue for being called whiny in print.

I don't think so. "Whiny" is a subjective description, not factual information about a person, and even if there was an objective standard for it, as soon as the person said one whiny thing in a public place, it would no longer be private data.

Yes, but my point isn't just about "whiny". If it's data that can be gathered about you in public, not due to any unintentional lapse of privacy, then it isn't private data, and wouldn't be subject to my proposed ownership arrangement.

For instance, a random entity shouldn't be able to find out what insurance carrier and plan I use. But if I post to Usenet that I subscribe to the Blue Cross HMO plan, then I would no longer be able to assert that as being private data that I exclusively own.

More importantly, they should be held responsible for what happens to people when that stored information is stolen or otherwise misused. And if the punishing of that company for its negligence forces it out of business... tough. It simply isn't enough to say, "Sorry, and oh, by the way, we've implemented some new security policies so this shouldn't happen again. We hope. Once again, sorry for the inconvenience." Really, it's more akin to collecting all kinds of flammable and explosive materials and storing them in a rickety old warehouse in the middle of a populated area. You shouldn't be able to get off with an apology and a promise to do better when that warehouse explodes, flattens the nearby buildings and kills a bunch of people.

Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.

I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.

The question is, what is a reasonable effort to maintain the safety of your data? If a company is making a good faith effort to keep their systems up to date with the latest patches, you probably don't have a reasonable case to sue them. I haven't seen anything that suggests their protection of people's data is analagous to "a rickety old warehouse in the middle of a populated area."

Don't get me wrong; it bugs me that there are companies whose sole purpose is to gather up whatever data they can find on me

I guess my point is that a "good faith effort" is not sufficient. Sometimes you have to do better. Sometimes you have to be required to do better. Now I'm sure that there are some database outfits that have topnotch security (whether they should be allowed to store that personal data is another issue.) But I'd bet dollars to doughnuts that there are a significant number of giant databases out there that are only marginally secured. My example of an exploding warehouse was only meant to point out that the in

Let's say I run an online job market site. IIS backed with SQL server. A blackhat hacker uses an unknown exploit to break in, unauthenticated, to IIS. He then leverages this account to steal SQL credentials (or he uses an unknown SQL vulnerability) and downloads every resume we have on the system.

You're telling me that I should be charged with a crime?

To further your car analogy, you're saying if, while driving, my factory-faulty bumper comes off and brains a passing pedestrian that I should be li

I think you're missing the point here by trying to make a nice complicated story. Essentially in your example, a failure occurs. Failures should not occur in this situation. Therefore a hefty fine is entirely reasonable. If your Tibor character breached internal policies in his mission to acquire this trojan, the company can act against him after they get fined. The financial loss can be their reward for failing to ensure their internal security is properly enforced with respect to people capable of op

Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?

Ordinarily in a case like this a class action would be brought against the company. The "Class Action Fairness Act" will shift class actions from state to federal court. Ostensibly this was done to prevent venue shopping- where you look for the state with the most favorable laws for your class action suit- but it also has the nice property that federal courts rarely agree to hear class action lawsuits, citing differences in state law. The Act effectively puts an end to all class action suits without explicitly banning them.

If you're a victim of identity theft because your Social Security number was compromised by ChoicePoint, you'll have to hire a lawyer yourself, prove that the identity theft was a result of ChoicePoint's negligence, and your case will be heard separately from those filed by any other plantiffs.

This may actually be preferable to a class action. What you wouldn't want to happen in this case is for lots of people to sign their rights away (absolving ChoicePoint of future liability) in exchange for a check that arrives in the mail later to the tune of $53.47 or something that will seem inconsequential once your identity is stolen. Although depending on the egregiousness of the fault, the sum may be greater than that, and it may be in this case. But the point is moot- there will be no class action.

The story says that these things "are seldom limited to a single geographic area"...

SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?

We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.

It's a good start, but I don't think it goes far enough. There's no requirement to publically acknowledge break-ins, only that individuals be notified. For instance, T-Mobile has yet to publically fess up for their year-long security breach [theregister.co.uk] and show no signs of ever doing so.

Well, from a legal standpoint, it certainly does. If there is no law in your state requiring them to do so, then legally they don't have that obligation to you. Morally, I believe they are obligated to, but morality isn't the same as legality now is it?

Actually, this is what happens when the system becomes too objective. The reason we make it subjective is that we are attempting to make things fair. The problem with that is that outside of a fascism it is impossible to make it so, because you cannot reliably enforce all of the laws equally and appropriately. Instead of appointing people we can trust to public offices and other positions of importance, we attempt to construct a system of law that will accurately address every situation. It does not typically believe in mitigating circumstances except in situations where it feels that everyone has done wrong.

Anyway, this is the prison we built for ourselves, and as a result the fact that you happen to live in another state means they do have less obligation to you, as that word has any actual meaning anyway. Otherwise we'd be within our rights to march down there with torches and pitchforks and perforate 'em.

of our information driven world. Something like this was bound to happen eventually and highlights something that really needs to be brought back into the focus of public discource: just how much information should be readily available. Your credit score now is one of your most valuable assets and something you rarely heard about five or ten years ago. Now its mentioned every 30 seconds. Because of the ease of gaining this information, employers, and just about anyone can get your credit score even if legally the shouldn't be.

Next big issue is going to be medical records online. While having such information in once location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if your a public figure, the media getting their hands on otherwise private medical records.

The desperate need is for social security numbers to be replaced with an encrypted digital signatures, and when you use it for something there is an authentication test required to prove you know the password to it.

The idea that your life can be destroyed if someone just acquires your name and social security number is insane. Social Security numbers are security through obscurity and they completely stopped working when the Internet came in to being.

My credit is so poor that stealing my identiy is only going to hurt them. I mean they think they are gettign a free ride, but when Rocko breaks down their door looking for past due payments boy will they be in for a suprise, hell this might be the best thing to ever happen to me!

Incidents such as these are actually rather rare. People abusing information collected either through neglect or in other ways is not as common as proper use.

All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.

(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)

If the data was that critical and personal, why was it available to "legitamate businesses" in the frist place?Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?

California, population approx 30 million, or 1/10 of the US population.

So, the number of stolen identies is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the theives didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to excluse California records because those indidivuals would be on alert).

So, potentially one in every one hundred people in the US now has their electronic profile available for identify theft. That's a scary (although I'll admit unlikely) idea.

Closing question...what exactly is the f'ing differences between a "legitamate" company accessing this ChoicePoint database an an "illegimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, concievable so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Same's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.

U.S. Law allows for certain types of personal information to be made available to people for certain reasons, such as the collection of debts. The databases are very interesting to look at (which I have done legitimately in the course of attempting to collect some debts, when my father was working for a company that did that. I found it distasteful and went out of my way to avoid calling anyone, and just doing computer searches...)

The databases basically involve public records from every county in a state describing ownership, professional licenses, et cetera. They often include every piece of information involved in submitting a request for some type of certification. Land deeds, for example, are in there, as well as contractor's licenses. A lot of that information is public record, but the stuff that isn't is the address (that's sometimes but very rarely public) and sometimes social security number. If you can establish that someone was at a certain address, and get a social from that address, hopefully correlating it with another address and matching (or near-matching) social security number, then you can look that ssn up in connection with all kinds of other items. This can connect them to any number of other people who you can bother for their phone number.

Eventually, you can find property, and depending on what state it's in you can sometimes take it away. California makes it pretty hard to do that kind of stuff to someone; you can't take away a home which is also a business, for example, and you can't take away someone's primary automobile -- unless you're the lien holder, that is. Or, well, the federal government.

Notice above I said something about a near-matching SSN? All of this stuff is near-matching. The problem is that someone might write their name (or other information) carefully in one place and illegibly in another. They might of course also forget or "forget" the number and misenter it. Finally, let us not forget the wonders of data entry and the errors therein. Some forms are OCR'd (anything typed) and some were probably hand entered. The record only goes back so far as well, but it's generally pretty far.

Anyway, anyone with a business that has a reason to need to do that kind of thing can get access to those databases. They can tell what you were doing with it, so if you do something naughty, they could tell.

The government is one of ChoicePoint's largest customers, so you can be certain that there will be zero rules and regulations imposed on ChoicePoint or similar companies. Nor will you see any changes to the Fair Credit Reporting Act, which affords no penalty to companies that report wrong information on individuals other than once proven incorrect, it is removed.

If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.

Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.

Maybe having to deal with thousands of peeved off consumers will clean up their act.

For the most part, Choicepoint deals in public records...items that are available to the general public (if you have the time, energy, and knowledge of where to look).

However, there is some data they possess which isn't public records (DMV records mostly) which require special privledges to access. I would hope that they actually review who has access to that information, and not give it out to persons without legitimate needs.

I think the main concern is that fact that this data is aggregated for use, wi

Remember the Florida election of 2000 when a private database company scrubbed thousands of eligible voters from the rolls? Well now one of the co-founders of Database Technologies is back in the headlines -- he's working with law enforcement agents in Florida to create what may soon expand into a national surveillance system. We talk with privacy expert Wayne Madsen, investigative reporter Greg Palast and a top intelligence official from the state of Florida.

When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citzen in this country and this is who they hired to do it:

Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!

In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company.During the 2000 presidential election ChoicePoint, gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.

So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.

http://www.oldamericancentury.org/oh_republicans .h tm

A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.

http://www.democracynow.org/article.pl?sid=03/08 /0 7/1427223

The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter roles before the 2000 election.

Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.

OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.

I sent my resume and never got response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiousity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiousity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (nopassword) . It worked.

Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different , so for all I know root on those boxes was the same as all the other passwords)

Not wanting to cross any further boundrys than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact in had! They wanted to talk to me and hear more about what I had to say regarding their network - For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight , I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist).

Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor secuirty procedures, I'm shocked there aren't more thefts like this one happening on a regular basis.

What's the difference between a "legitimate" business that uses my personal info without my permission, and a "criminal" one? Just the law, and perhaps the degree of abuse in which they engage. Today's legit biz is tomorrow's spammer - and sometimes the reverse.

All this info must be protected by copyright. I transfer a copy of my personal info to a receiver in a specific transaction, with the right to copy it only as required to complete that transaction, unless expressly allowed otherwise. When they "shar

I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existance? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.

This whole companies' existance and screwup just stamps out all notions of privacy I had, now not only theives profitted from me without even notifying/asking me, but now criminals can benefit from my existance too.

I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSN a day. They don't track who enters what data so I could of easily wrote down a few SSNs along with the person name, phone number, address, etc without anyone knowing I had done it.
Even if they make extra-super-duper-sure that they people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.

Rather than taking extreme measures to ensure that social security numbers are kept private, people need to simply stop pretending that a social security number is some sort of magic password that can be used to prove that someone is who they claim to be. SSNs should be treated about the same as phone numbers; assume that everyone has one, but also assume that everyone knows it.

An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisons of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collison (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attmept to use my name to verify my identity, why would I use my SSN?

Companies need to get on the stick and use other verification measures. Using an SSN as na ID # is fine, not as a password, that needs to be something else not related to identity.

"The firm was only given clearance by law enforcement officials to disclose the incident two weeks ago, Lee said"

Now why exactly would they need permission to tell me (if I were a CA resident) that I should be worried about my data being misused? The certainly didn't need any cop's permission to amass it, not to hand it to a "legitimate" customer.

The use of SSN as a PIN amazes me. The security relying way to much on the fact that no-one is suppose to have access to your SSN. If you get your SSN I can go say my wallet was stolen and you need to have new ID's made. Then get a stack of credit cards in your name. In a couple of days I'll be more you than you are.
With so many people requesting to see you SSN in everyday life. This is a serious threat. My girlfriend was even asked to give up her SSN when she paid with a check at a grocery store because she was out of state.

Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html [choicepoint.com] you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!

As someone noted, Choicepoint/Database Technologies are the guys who were paid to scrub Felons from the Florida list of eligible voters before the 2000 & 2004 elections. If you live here you read about em in the papers constantly for shady activity, & they were in a few documentaries about the elections. They were paid an insane amount of money ($4 million no bid contract, see Jeb Bush, FL governor) for what they did, and did a horrible job in return. A few of the problems were they only matched parts of names, not whole names, gender, race, etc...so a black guy w/ a partial name match to a white felon would be unable to vote. This ended up disenfranchising thousands of black voters (frequently democrats) in the 2000 election where Bush only won by 500-600 votes in the state, which led to him winning the election.

At least until Blair and Clarke finish butchering the law to suit their own agenda, this sort of incident occuring in Europe would be almost impossible. The Data Protection Act would prevent ChoicePoint from allowing anyone other than you (besides law enforcement, with warrent) access to your personal information without your explicit consent. For example, when I graduated last summer, I had to sign a DPA waiver so that the University were permitted to release my grades to any potential employers who wanted to look at them in the course of a job application. Of course, all the new government databases in the UK that tie in with our glorious proposed national ID card scheme will be exempt from the DPA, but everyone else in the EU is still bound by it.

I keep fraud notices on my credit reports AT ALL TIMES. It is a slight hassle when I do want to open a new account, but that is so damn rare that it's worth the extra protection. I just wish the credit file locking option would be legislated nationwide.

Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:

"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."

...Is to make credit bureaus and data aggregators like Choicepoint liable for inappropriate data dissemination.

These companies are in a position of responsibility, but they don't seem to take it very seriously. The credit bureaus have already bribed their way into legislation that makes it your responsibility to correct errors in their data, not them. If we don't act now, they'll bribe (excuse me, I mean "make campaign donations") and get a free pass on handing out your data to the Russian mafia, too. I say make them liable for monetary damages, instead.

Institute it, and watch how fast their security improves. The attitude of: "Oh well, its not our problem" would be a thing of the past. OR somebody would sue them bankrupt. Either way, the consumer wins.

Plus, the idea of suing these bastards into bankruptcy appeals to me because of Choicepoint's role in George W. Bush's 2000 coup.